mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 11:03:47 +03:00
Minor drei update
This commit is contained in:
parent
7d9cd0c079
commit
2791ea51ea
|
@ -2484,6 +2484,18 @@ def getBytes(value, encoding=UNICODE_ENCODING, errors="strict"):
|
||||||
|
|
||||||
return retVal
|
return retVal
|
||||||
|
|
||||||
|
def getOrds(value):
|
||||||
|
"""
|
||||||
|
Returns ORD(...) representation of provided string value
|
||||||
|
|
||||||
|
>>> getOrds(u'fo\xf6bar')
|
||||||
|
[102, 111, 246, 98, 97, 114]
|
||||||
|
>>> getOrds(b"fo\xc3\xb6bar")
|
||||||
|
[102, 111, 195, 182, 98, 97, 114]
|
||||||
|
"""
|
||||||
|
|
||||||
|
return [_ if isinstance(_, int) else ord(_) for _ in value]
|
||||||
|
|
||||||
def longestCommonPrefix(*sequences):
|
def longestCommonPrefix(*sequences):
|
||||||
"""
|
"""
|
||||||
Returns longest common prefix occuring in given sequences
|
Returns longest common prefix occuring in given sequences
|
||||||
|
@ -3635,8 +3647,8 @@ def maskSensitiveData(msg):
|
||||||
"""
|
"""
|
||||||
Masks sensitive data in the supplied message
|
Masks sensitive data in the supplied message
|
||||||
|
|
||||||
>>> maskSensitiveData('python sqlmap.py -u "http://www.test.com/vuln.php?id=1" --banner')
|
>>> maskSensitiveData('python sqlmap.py -u "http://www.test.com/vuln.php?id=1" --banner') == 'python sqlmap.py -u *********************************** --banner'
|
||||||
u'python sqlmap.py -u *********************************** --banner'
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
retVal = getUnicode(msg)
|
retVal = getUnicode(msg)
|
||||||
|
|
|
@ -17,7 +17,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
|
||||||
from lib.core.enums import OS
|
from lib.core.enums import OS
|
||||||
|
|
||||||
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
||||||
VERSION = "1.3.5.2"
|
VERSION = "1.3.5.3"
|
||||||
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
||||||
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
||||||
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
||||||
|
|
|
@ -5,12 +5,18 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from lib.core.common import getOrds
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
|
||||||
class Syntax(GenericSyntax):
|
class Syntax(GenericSyntax):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def escape(expression, quote=True):
|
def escape(expression, quote=True):
|
||||||
|
"""
|
||||||
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHR(97)&CHR(98)&CHR(99)&CHR(100)&CHR(101)&CHR(102)&CHR(103)&CHR(104) FROM foobar"
|
||||||
|
True
|
||||||
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
return "&".join("CHR(%d)" % ord(_) for _ in value)
|
return "&".join("CHR(%d)" % _ for _ in getOrds(value))
|
||||||
|
|
||||||
return Syntax._escape(expression, quote, escaper)
|
return Syntax._escape(expression, quote, escaper)
|
||||||
|
|
|
@ -5,17 +5,18 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from lib.core.common import getOrds
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
|
||||||
class Syntax(GenericSyntax):
|
class Syntax(GenericSyntax):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def escape(expression, quote=True):
|
def escape(expression, quote=True):
|
||||||
"""
|
"""
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar"
|
||||||
'SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar'
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
return "||".join("CHR(%d)" % ord(_) for _ in value)
|
return "||".join("CHR(%d)" % _ for _ in getOrds(value))
|
||||||
|
|
||||||
return Syntax._escape(expression, quote, escaper)
|
return Syntax._escape(expression, quote, escaper)
|
||||||
|
|
|
@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from lib.core.common import getOrds
|
||||||
from lib.core.common import isDBMSVersionAtLeast
|
from lib.core.common import isDBMSVersionAtLeast
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
|
||||||
|
@ -15,16 +16,16 @@ class Syntax(GenericSyntax):
|
||||||
>>> from lib.core.common import Backend
|
>>> from lib.core.common import Backend
|
||||||
>>> Backend.setVersion('2.0')
|
>>> Backend.setVersion('2.0')
|
||||||
['2.0']
|
['2.0']
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT 'abcdefgh' FROM foobar"
|
||||||
"SELECT 'abcdefgh' FROM foobar"
|
True
|
||||||
>>> Backend.setVersion('2.1')
|
>>> Backend.setVersion('2.1')
|
||||||
['2.1']
|
['2.1']
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT ASCII_CHAR(97)||ASCII_CHAR(98)||ASCII_CHAR(99)||ASCII_CHAR(100)||ASCII_CHAR(101)||ASCII_CHAR(102)||ASCII_CHAR(103)||ASCII_CHAR(104) FROM foobar"
|
||||||
'SELECT ASCII_CHAR(97)||ASCII_CHAR(98)||ASCII_CHAR(99)||ASCII_CHAR(100)||ASCII_CHAR(101)||ASCII_CHAR(102)||ASCII_CHAR(103)||ASCII_CHAR(104) FROM foobar'
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
return "||".join("ASCII_CHAR(%d)" % ord(_) for _ in value)
|
return "||".join("ASCII_CHAR(%d)" %_ for _ in getOrds(value))
|
||||||
|
|
||||||
retVal = expression
|
retVal = expression
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from lib.core.common import getOrds
|
||||||
from lib.core.compat import xrange
|
from lib.core.compat import xrange
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
|
||||||
|
@ -12,11 +13,11 @@ class Syntax(GenericSyntax):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def escape(expression, quote=True):
|
def escape(expression, quote=True):
|
||||||
"""
|
"""
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHAR(97)||CHAR(98)||CHAR(99)||CHAR(100)||CHAR(101)||CHAR(102)||CHAR(103)||CHAR(104) FROM foobar"
|
||||||
'SELECT CHAR(97)||CHAR(98)||CHAR(99)||CHAR(100)||CHAR(101)||CHAR(102)||CHAR(103)||CHAR(104) FROM foobar'
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
return "||".join("CHAR(%d)" % ord(value[i]) for i in xrange(len(value)))
|
return "||".join("CHAR(%d)" % _ for _ in getOrds(value))
|
||||||
|
|
||||||
return Syntax._escape(expression, quote, escaper)
|
return Syntax._escape(expression, quote, escaper)
|
||||||
|
|
|
@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from lib.core.common import getOrds
|
||||||
from lib.core.compat import xrange
|
from lib.core.compat import xrange
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
|
||||||
|
@ -12,11 +13,11 @@ class Syntax(GenericSyntax):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def escape(expression, quote=True):
|
def escape(expression, quote=True):
|
||||||
"""
|
"""
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHAR(97)||CHAR(98)||CHAR(99)||CHAR(100)||CHAR(101)||CHAR(102)||CHAR(103)||CHAR(104) FROM foobar"
|
||||||
'SELECT CHAR(97)||CHAR(98)||CHAR(99)||CHAR(100)||CHAR(101)||CHAR(102)||CHAR(103)||CHAR(104) FROM foobar'
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
return "||".join("CHAR(%d)" % ord(value[i]) for i in xrange(len(value)))
|
return "||".join("CHAR(%d)" % _ for _ in getOrds(value))
|
||||||
|
|
||||||
return Syntax._escape(expression, quote, escaper)
|
return Syntax._escape(expression, quote, escaper)
|
||||||
|
|
|
@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission
|
||||||
|
|
||||||
import re
|
import re
|
||||||
|
|
||||||
|
from lib.core.common import getOrds
|
||||||
from lib.core.common import isDBMSVersionAtLeast
|
from lib.core.common import isDBMSVersionAtLeast
|
||||||
from lib.core.common import randomStr
|
from lib.core.common import randomStr
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
@ -18,12 +19,12 @@ class Syntax(GenericSyntax):
|
||||||
>>> from lib.core.common import Backend
|
>>> from lib.core.common import Backend
|
||||||
>>> Backend.setVersion('12.10')
|
>>> Backend.setVersion('12.10')
|
||||||
['12.10']
|
['12.10']
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar"
|
||||||
'SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar'
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
return "||".join("CHR(%d)" % ord(_) for _ in value)
|
return "||".join("CHR(%d)" % _ for _ in getOrds(value))
|
||||||
|
|
||||||
retVal = expression
|
retVal = expression
|
||||||
|
|
||||||
|
|
|
@ -11,8 +11,8 @@ class Syntax(GenericSyntax):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def escape(expression, quote=True):
|
def escape(expression, quote=True):
|
||||||
"""
|
"""
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == u"SELECT 'abcdefgh' FROM foobar"
|
||||||
"SELECT 'abcdefgh' FROM foobar"
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
return expression
|
return expression
|
||||||
|
|
|
@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from lib.core.common import getOrds
|
||||||
from lib.core.compat import xrange
|
from lib.core.compat import xrange
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
|
||||||
|
@ -12,11 +13,13 @@ class Syntax(GenericSyntax):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def escape(expression, quote=True):
|
def escape(expression, quote=True):
|
||||||
"""
|
"""
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+CHAR(101)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar"
|
||||||
'SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+CHAR(101)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar'
|
True
|
||||||
|
>>> Syntax.escape(u"SELECT 'abcd\xebfgh' FROM foobar") == "SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+NCHAR(235)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar"
|
||||||
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
return "+".join("%s(%d)" % ("CHAR" if ord(value[i]) < 256 else "NCHAR", ord(value[i])) for i in xrange(len(value)))
|
return "+".join("%s(%d)" % ("CHAR" if _ < 128 else "NCHAR", _) for _ in getOrds(value))
|
||||||
|
|
||||||
return Syntax._escape(expression, quote, escaper)
|
return Syntax._escape(expression, quote, escaper)
|
||||||
|
|
|
@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission
|
||||||
import binascii
|
import binascii
|
||||||
|
|
||||||
from lib.core.common import getBytes
|
from lib.core.common import getBytes
|
||||||
|
from lib.core.common import getOrds
|
||||||
from lib.core.common import getUnicode
|
from lib.core.common import getUnicode
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
|
||||||
|
@ -15,11 +16,16 @@ class Syntax(GenericSyntax):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def escape(expression, quote=True):
|
def escape(expression, quote=True):
|
||||||
"""
|
"""
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT 0x6162636465666768 FROM foobar"
|
||||||
'SELECT 0x6162636465666768 FROM foobar'
|
True
|
||||||
|
>>> Syntax.escape(u"SELECT 'abcd\xebfgh' FROM foobar") == "SELECT CONVERT(0x61626364c3ab666768 USING utf8) FROM foobar"
|
||||||
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
return "0x%s" % getUnicode(binascii.hexlify(getBytes(value)))
|
if all(_ < 128 for _ in getOrds(value)):
|
||||||
|
return "0x%s" % getUnicode(binascii.hexlify(getBytes(value)))
|
||||||
|
else:
|
||||||
|
return "CONVERT(0x%s USING utf8)" % getUnicode(binascii.hexlify(getBytes(value)))
|
||||||
|
|
||||||
return Syntax._escape(expression, quote, escaper)
|
return Syntax._escape(expression, quote, escaper)
|
||||||
|
|
|
@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from lib.core.common import getOrds
|
||||||
from lib.core.compat import xrange
|
from lib.core.compat import xrange
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
|
||||||
|
@ -12,11 +13,13 @@ class Syntax(GenericSyntax):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def escape(expression, quote=True):
|
def escape(expression, quote=True):
|
||||||
"""
|
"""
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar"
|
||||||
'SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar'
|
True
|
||||||
|
>>> Syntax.escape(u"SELECT 'abcd\xebfgh' FROM foobar") == "SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||NCHR(235)||CHR(102)||CHR(103)||CHR(104) FROM foobar"
|
||||||
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
return "||".join("%s(%d)" % ("CHR" if ord(value[i]) < 256 else "NCHR", ord(value[i])) for i in xrange(len(value)))
|
return "||".join("%s(%d)" % ("CHR" if _ < 128 else "NCHR", _) for _ in getOrds(value))
|
||||||
|
|
||||||
return Syntax._escape(expression, quote, escaper)
|
return Syntax._escape(expression, quote, escaper)
|
||||||
|
|
|
@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from lib.core.common import getOrds
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
|
||||||
class Syntax(GenericSyntax):
|
class Syntax(GenericSyntax):
|
||||||
|
@ -14,11 +15,11 @@ class Syntax(GenericSyntax):
|
||||||
Note: PostgreSQL has a general problem with concenation operator (||) precedence (hence the parentheses enclosing)
|
Note: PostgreSQL has a general problem with concenation operator (||) precedence (hence the parentheses enclosing)
|
||||||
e.g. SELECT 1 WHERE 'a'!='a'||'b' will trigger error ("argument of WHERE must be type boolean, not type text")
|
e.g. SELECT 1 WHERE 'a'!='a'||'b' will trigger error ("argument of WHERE must be type boolean, not type text")
|
||||||
|
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT (CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104)) FROM foobar"
|
||||||
'SELECT (CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104)) FROM foobar'
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
return "(%s)" % "||".join("CHR(%d)" % ord(_) for _ in value) # Postgres CHR() function already accepts Unicode code point of character(s)
|
return "(%s)" % "||".join("CHR(%d)" % _ for _ in getOrds(value)) # Postgres CHR() function already accepts Unicode code point of character(s)
|
||||||
|
|
||||||
return Syntax._escape(expression, quote, escaper)
|
return Syntax._escape(expression, quote, escaper)
|
||||||
|
|
|
@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission
|
||||||
import binascii
|
import binascii
|
||||||
|
|
||||||
from lib.core.common import getBytes
|
from lib.core.common import getBytes
|
||||||
|
from lib.core.common import getUnicode
|
||||||
from lib.core.common import isDBMSVersionAtLeast
|
from lib.core.common import isDBMSVersionAtLeast
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
|
||||||
|
@ -18,17 +19,17 @@ class Syntax(GenericSyntax):
|
||||||
>>> from lib.core.common import Backend
|
>>> from lib.core.common import Backend
|
||||||
>>> Backend.setVersion('2')
|
>>> Backend.setVersion('2')
|
||||||
['2']
|
['2']
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT 'abcdefgh' FROM foobar"
|
||||||
"SELECT 'abcdefgh' FROM foobar"
|
True
|
||||||
>>> Backend.setVersion('3')
|
>>> Backend.setVersion('3')
|
||||||
['3']
|
['3']
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"
|
||||||
"SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
# Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3
|
# Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3
|
||||||
return "CAST(X'%s' AS TEXT)" % binascii.hexlify(getBytes(value))
|
return "CAST(X'%s' AS TEXT)" % getUnicode(binascii.hexlify(getBytes(value)))
|
||||||
|
|
||||||
retVal = expression
|
retVal = expression
|
||||||
|
|
||||||
|
|
|
@ -1,10 +1,11 @@
|
||||||
#!/usr/bin/env python2
|
1#!/usr/bin/env python2
|
||||||
|
|
||||||
"""
|
"""
|
||||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from lib.core.common import getOrds
|
||||||
from lib.core.compat import xrange
|
from lib.core.compat import xrange
|
||||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||||
|
|
||||||
|
@ -12,11 +13,13 @@ class Syntax(GenericSyntax):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def escape(expression, quote=True):
|
def escape(expression, quote=True):
|
||||||
"""
|
"""
|
||||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+CHAR(101)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar"
|
||||||
'SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+CHAR(101)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar'
|
True
|
||||||
|
>>> Syntax.escape(u"SELECT 'abcd\xebfgh' FROM foobar") == "SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+TO_UNICHAR(235)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar"
|
||||||
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def escaper(value):
|
def escaper(value):
|
||||||
return "+".join("%s(%d)" % ("CHAR" if ord(value[i]) < 256 else "TO_UNICHAR", ord(value[i])) for i in xrange(len(value)))
|
return "+".join("%s(%d)" % ("CHAR" if _ < 128 else "TO_UNICHAR", _) for _ in getOrds(value))
|
||||||
|
|
||||||
return Syntax._escape(expression, quote, escaper)
|
return Syntax._escape(expression, quote, escaper)
|
||||||
|
|
Loading…
Reference in New Issue
Block a user